Hexamind

Compliance

Bring security baselines, licenses, and vulnerability status into one place to support supply chain security operations and regulatory readiness.

Compliance Overview

The compliance module in Hexamind Platform provides three core management capabilities for software supply chain security operations.

Security Baseline

Document and manage the minimum security requirements your organization expects. Linking a baseline to projects helps teams review and follow up more consistently.

License Management

Identify open source license posture and potential conflicts early. This helps teams triage legal review candidates and organize evidence for supply chain documentation.

Unified Vulnerability View

Search and manage vulnerabilities across all projects in a single view. It becomes much easier to see which products are affected by a specific CVE.


Security Baseline

Document the minimum security requirements for your organization and link them to projects and environments to build a foundation for consistent security operations.

A security baseline defines the minimum security requirements that all software in your organization should meet.

• Define patching deadlines by severity level

• Specify allowed or restricted license categories

• Declare security requirements for external communications

• Set approval criteria for deployment environments

Register a Baseline Guideline

Each guideline captures name, version, category, publisher, validity period, and supporting documents, providing a structured record of policy history and revisions.

Applying Baselines to Projects

Guidelines can be applied globally, per project, or per environment, giving teams the flexibility to adjust scope to fit their organizational structure.

License Management

Assess open source license posture by project and surface potential conflicts early, so components that need legal review are identified before they reach distribution.

Why License Violations Matter

Some licenses may require source disclosure or legal review depending on use, distribution model, and modification. This area is meant for early risk triage, not as a substitute for final legal review.

License Database

Browse the SPDX license catalog to review conditions, caveats, and patent-related considerations.

Common license families:

• Permissive: relatively flexible for commercial delivery, with fewer restrictions

• Weak Copyleft: conditions depend on the linking approach and the scope of modification

• Strong Copyleft: the distribution structure may trigger source disclosure obligations

• Network Copyleft: may require review even in network-delivered (SaaS) service models

Project Licenses

View all open source components used in a project from the perspective of their licenses. This makes it easy to identify, for example, which projects use GPL-family licenses.

License Conflict Analysis

Analyze potential conflicts within a project, using the components' SPDX license identifiers together with a set of license-compatibility rules as a baseline.

How to Interpret Conflict Results

This analysis is intended for early risk selection in supply chain operations. Final interpretation still depends on delivery structure, contracts, and legal review.

• FAIL: licenses that may impose disclosure obligations are present in critical deliverables

• WARNING: interpretation may vary based on how the software is linked or distributed

• PASS: a relatively low-conflict composition, such as the MIT, Apache-2.0, and BSD families
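To make the three verdicts concrete, here is an added illustrative example of license-conflict triage over a component list. It is not Hexamind's analysis code: the license-family mapping, the compatibility rule set (a single pair, Apache-2.0 with GPL-2.0-only, which the FSF lists as incompatible), the delivery-model names ("binary", "network", "open"), and the sample components are all assumptions chosen to show how a verdict follows from license family plus delivery model. A real analysis needs a complete rule set and, as the text says, final legal review.

```python
"""License-conflict triage over a project's component list.

Added example, not Hexamind's own analysis code. The family mapping, the
pairwise rule set and the sample components are illustrative assumptions.
"""
from dataclasses import dataclass

# License family by SPDX identifier (assumption: only this subset is covered;
# anything else is reported for manual review rather than silently passed).
FAMILY = {
    "MIT": "permissive",
    "ISC": "permissive",
    "BSD-2-Clause": "permissive",
    "BSD-3-Clause": "permissive",
    "Apache-2.0": "permissive",
    "MPL-2.0": "weak-copyleft",
    "LGPL-2.1-only": "weak-copyleft",
    "LGPL-3.0-only": "weak-copyleft",
    "GPL-2.0-only": "strong-copyleft",
    "GPL-3.0-only": "strong-copyleft",
    "AGPL-3.0-only": "network-copyleft",
}

# Pairs generally treated as incompatible inside one program. The FSF lists
# Apache-2.0 as incompatible with GPL-2.0-only (but compatible with GPL-3.0).
INCOMPATIBLE_PAIRS = [frozenset({"Apache-2.0", "GPL-2.0-only"})]


@dataclass
class Component:
    name: str
    version: str
    license: str  # SPDX identifier, e.g. "GPL-3.0-only"


@dataclass
class Finding:
    status: str   # "FAIL" or "WARNING"; an empty list means PASS
    subject: str  # component name, or "project" for pairwise conflicts
    reason: str


def analyze(components, delivery):
    """Evaluate a component list under a delivery model.

    delivery is one of (assumed vocabulary):
      "binary"  - compiled deliverable shipped to customers
      "network" - offered only as a hosted service
      "open"    - source released under a compatible open license
    """
    findings = []
    for c in components:
        fam = FAMILY.get(c.license)
        if fam is None:
            findings.append(Finding("WARNING", c.name,
                                    f"{c.license} is not in the rule set; review manually"))
        elif fam == "strong-copyleft" and delivery == "binary":
            findings.append(Finding("FAIL", c.name,
                                    f"{c.license} in a distributed binary may require source disclosure"))
        elif fam == "network-copyleft" and delivery in ("binary", "network"):
            findings.append(Finding("FAIL", c.name,
                                    f"{c.license} obligations can be triggered by network use alone"))
        elif fam == "weak-copyleft" and delivery == "binary":
            findings.append(Finding("WARNING", c.name,
                                    f"{c.license}: obligations depend on linking and modification"))
    # Pairwise check across the whole project, independent of delivery model.
    present = {c.license for c in components}
    for pair in INCOMPATIBLE_PAIRS:
        if pair <= present:
            a, b = sorted(pair)
            findings.append(Finding("FAIL", "project",
                                    f"{a} and {b} are generally considered incompatible in one program"))
    return findings


def overall_status(findings):
    """Collapse findings to the single PASS / WARNING / FAIL verdict shown per project."""
    statuses = {f.status for f in findings}
    if "FAIL" in statuses:
        return "FAIL"
    if "WARNING" in statuses:
        return "WARNING"
    return "PASS"


# Constructed sample inventories (not real projects or components).
PERMISSIVE_ONLY = [
    Component("httpclient", "1.4.2", "Apache-2.0"),
    Component("json-tiny", "0.9.0", "MIT"),
    Component("b64", "2.0.0", "BSD-3-Clause"),
]
WITH_LGPL = PERMISSIVE_ONLY + [Component("imgcodec", "3.1.0", "LGPL-2.1-only")]
WITH_GPL = PERMISSIVE_ONLY + [Component("cli-core", "5.0.0", "GPL-3.0-only")]
WITH_AGPL = PERMISSIVE_ONLY + [Component("search-engine", "7.2.0", "AGPL-3.0-only")]

if __name__ == "__main__":
    for label, comps, delivery in [("permissive", PERMISSIVE_ONLY, "binary"),
                                   ("lgpl", WITH_LGPL, "binary"),
                                   ("gpl", WITH_GPL, "binary"),
                                   ("agpl-saas", WITH_AGPL, "network")]:
        result = analyze(comps, delivery)
        print(label, delivery, overall_status(result))
        for f in result:
            print("  ", f.status, f.subject, "-", f.reason)
```

Two design points match the caveats above: an identifier missing from the rule set produces a WARNING rather than a silent PASS, and the same component set yields different verdicts under different delivery models (GPL-3.0-only in a hosted-only service raises nothing here, while AGPL-3.0-only does), which is exactly why the page says interpretation depends on delivery structure.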


Unified Vulnerability View

Consolidate vulnerabilities from every project into a single view and quickly assess organizational impact across your entire portfolio.

This view complements project-level deep review with organization-wide visibility. Placing vulnerabilities at the center makes it easy to see which products and versions are affected at a glance.

When a new CVE is reported or urgent patching is needed, you can immediately identify affected projects and versions and narrow the response scope without manually checking each product.
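The reverse lookup described here, combined with the per-severity patching deadlines from the Security Baseline section above, as an added example in Python. It is not Hexamind's code: the project inventories, the advisory (with a placeholder identifier rather than a real CVE), the baseline day counts, and the "project:version" naming are constructed sample data, and the version parser is an assumption that handles only dotted numeric versions.

```python
"""Reverse lookup: which project versions carry a vulnerable package version,
and when the baseline says each must be patched.

Added example, not Hexamind's own code. Inventories, advisory and baseline
values are constructed; version handling assumes dotted integer versions.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed SBOM-style inventories: "project:version" -> [(package, version)].
INVENTORY = {
    "payments-api:2.4.0": [("acme-logger", "2.14.1"), ("fastjson-lite", "1.3.9")],
    "payments-api:2.5.0": [("acme-logger", "2.17.1"), ("fastjson-lite", "1.3.9")],
    "report-builder:1.2.0": [("acme-logger", "2.15.0")],
    "mobile-gateway:3.0.1": [("fastjson-lite", "1.2.0")],
}

# Constructed baseline: maximum days from publication to patch, by severity.
BASELINE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def parse_version(v):
    """'2.14.1' -> (2, 14, 1). Assumption: dotted integer versions only."""
    return tuple(int(p) for p in v.split("."))


def build_index(inventory):
    """Invert per-project inventories into package -> [(version, project)].

    Building this once is what turns "check every product" into one lookup.
    """
    index = defaultdict(list)
    for project, comps in inventory.items():
        for pkg, ver in comps:
            index[pkg].append((parse_version(ver), project))
    return index


def affected_projects(index, package, introduced, fixed):
    """Projects carrying `package` with introduced <= version < fixed."""
    lo, hi = parse_version(introduced), parse_version(fixed)
    return sorted(proj for ver, proj in index.get(package, []) if lo <= ver < hi)


def _as_date(d):
    return date.fromisoformat(d) if isinstance(d, str) else d


def patch_deadline(severity, published, baseline=BASELINE_DAYS):
    """Deadline the baseline imposes for this severity; `published` is a date or ISO string."""
    return _as_date(published) + timedelta(days=baseline[severity.lower()])


def triage(advisory, inventory=INVENTORY, today=None):
    """One advisory end to end: affected projects, baseline deadline, overdue flag."""
    index = build_index(inventory)
    hits = affected_projects(index, advisory["package"],
                             advisory["introduced"], advisory["fixed"])
    deadline = patch_deadline(advisory["severity"], advisory["published"])
    today = _as_date(today) if today else date.today()
    return {"affected": hits, "deadline": deadline, "overdue": today > deadline}


# Constructed advisory; the id is a placeholder, not a real CVE.
SAMPLE_ADVISORY = {
    "id": "CVE-placeholder",
    "package": "acme-logger",
    "introduced": "2.0.0",
    "fixed": "2.17.0",
    "severity": "critical",
    "published": "2024-01-01",
}

if __name__ == "__main__":
    result = triage(SAMPLE_ADVISORY, today="2024-01-10")
    print(SAMPLE_ADVISORY["id"], "affects:", ", ".join(result["affected"]))
    print("patch by", result["deadline"], "overdue:", result["overdue"])
```

Note that the index is keyed by package, not by project, so adding a project only grows the index and never changes the cost of answering "who is affected". Real ecosystems (semver pre-release tags, Debian epochs, Maven qualifiers) need their own version comparison in place of the simple tuple parser assumed here.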

Difference from Security Advisory

Security Advisory → Audit is optimized for tracking the state of in-depth analysis and for project-level discussion, while Compliance → Vulnerability is optimized for cross-project search and broad visibility.